Removes the vulnerable MpSigStub.exe binary from Windows endpoints running third-party antivirus with Defender disabled
This Automox Worklet™ removes the Microsoft Defender signature stub binary, MpSigStub.exe, from Windows endpoints where Defender is disabled and a third-party antivirus product is in use. The Worklet targets the planting surface associated with CVE-2023-38175, a Microsoft Defender elevation of privilege vulnerability that Microsoft addresses through Defender platform updates. On endpoints where Defender no longer runs, those updates never arrive and an orphaned stub stays on disk indefinitely.
The evaluation phase reads Microsoft Defender's AntivirusEnabled property through Get-MpComputerStatus and only proceeds when the property returns false. On Defender-protected endpoints the Worklet exits compliant without touching the file system, so a single policy can target a mixed population that includes both Defender-protected and third-party-AV endpoints. On endpoints where Defender is off, the Worklet checks for the stub at %SystemRoot%\Sysnative\MpSigStub.exe (which resolves to C:\Windows\System32\MpSigStub.exe on 64-bit Windows) and flags the endpoint for remediation if the file is present.
The remediation phase deletes the binary using [System.IO.File]::Delete(), verifies the file no longer exists, and exits 0 on success. The Try/Catch block surfaces permission errors and file locks in Automox activity logs so a failed deletion is visible to the operator rather than silently passing as compliant.
CVE-2023-38175 is a Microsoft Defender elevation of privilege vulnerability (CWE-59, improper link resolution before file access) that Microsoft fixed in Defender platform builds prior to 1.1.23060.3001. A local attacker who can stage controlled content where the Defender service follows it can gain elevated execution. Microsoft Defender signature stub binaries that ship with the platform (such as MpSigStub.exe) have a history of being staged in writable locations by setup or rollback scenarios. When the stub is invoked from such a directory, a local attacker who can plant a like-named DLL nearby may hijack execution as the elevated process. The platform fix ships through Defender platform updates, but endpoints running third-party antivirus typically have Defender turned off and never receive those updates, so an orphaned stub remains on disk as a planted-binary opportunity that vulnerability scanners continue to flag.
CVE-2023-38175 is an elevation-of-privilege flaw in the leftover MpSigStub.exe binary that Windows Defender stages in C:\Windows. The binary is only relevant on endpoints running a third-party AV stack where Defender is no longer the active engine, and Microsoft does not always clean it up when Defender is disabled. This Worklet removes the unused MpSigStub.exe from every Windows host the policy targets, and keeps vulnerability scanners quiet during PCI-DSS 6.3.3 and NIST 800-53 SI-2 audits by clearing the binary that scanners fingerprint as CVE-2023-38175.
Evaluation phase: The Worklet runs Get-MpComputerStatus | Select-Object -ExpandProperty AntivirusEnabled to read Defender's current state. If AntivirusEnabled returns true, the script writes "Microsoft Defender is enabled. Device is compliant" and exits 0. If AntivirusEnabled is false, the script calls [System.IO.File]::Exists("$env:SystemRoot\Sysnative\MpSigStub.exe"). Endpoints where the file is absent exit 0 as compliant; endpoints where the file is present exit 2 to flag remediation. The use of the Sysnative alias preserves the 64-bit System32 view even when PowerShell runs from a 32-bit host process.
Remediation phase: The remediation script repeats the Defender check (so a state change between evaluation and remediation does not delete the stub on a now-protected endpoint), then calls [System.IO.File]::Delete($fileToCheck) inside a Try/Catch. After the delete call the script verifies removal with another [System.IO.File]::Exists() probe. Success writes "MpSigStub.exe file was successfully removed" and exits 0. A file lock, ACL issue, or other failure writes "Failed to remove the MpSigStub.exe file" or "Error removing the file: $_" and exits 2 so Automox reports the endpoint as still non-compliant.
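The two phases above, written out as an added example rather than Automox's published Worklet code. Both phases are combined in one file behind a -Phase switch so the logic can be run by hand; in the Worklet each phase is its own script field. The Get-MpSigStubPath helper goes one step beyond the page: Sysnative is a WOW64 alias that exists only for a 32-bit process on 64-bit Windows, so from a 64-bit PowerShell an Exists() probe on that path silently returns False and the endpoint would pass as compliant with the stub still present; the helper falls back to System32 in that case. The helper names and the $script:exitCode variable are this example's own choices; the messages and exit codes follow the page.

```powershell
# Added example, not Automox's published Worklet code. Exit codes follow the page:
# 0 = compliant / success, 2 = remediation required / failed, 1 = Defender module absent.
# Assumption: the Defender PowerShell module is installed so Get-MpComputerStatus loads.
param(
    [ValidateSet('Evaluate', 'Remediate')]
    [string]$Phase = 'Evaluate'
)

function Get-MpSigStubPath {
    # Sysnative only exists for a 32-bit process on 64-bit Windows. From a 64-bit
    # process the alias is absent and [System.IO.File]::Exists() on it returns False
    # without error, so use the real System32 path there.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return Join-Path $env:SystemRoot 'Sysnative\MpSigStub.exe'
    }
    return Join-Path $env:SystemRoot 'System32\MpSigStub.exe'
}

function Test-DefenderEnabled {
    # Throws (CommandNotFound or module error) when Defender tooling is unavailable;
    # callers map that to exit 1 rather than treating the endpoint as compliant.
    return [bool](Get-MpComputerStatus -ErrorAction Stop).AntivirusEnabled
}

function Invoke-Evaluation {
    $script:exitCode = 0
    try { $defenderEnabled = Test-DefenderEnabled }
    catch {
        Write-Output "Unable to read Microsoft Defender status: $_"
        $script:exitCode = 1
        return
    }
    if ($defenderEnabled) {
        Write-Output "Microsoft Defender is enabled. Device is compliant"
        return
    }
    $fileToCheck = Get-MpSigStubPath
    if ([System.IO.File]::Exists($fileToCheck)) {
        Write-Output "MpSigStub.exe present at $fileToCheck with Defender disabled. Remediation required"
        $script:exitCode = 2
        return
    }
    Write-Output "MpSigStub.exe not found. Device is compliant"
}

function Invoke-Remediation {
    $script:exitCode = 0
    try { $defenderEnabled = Test-DefenderEnabled }
    catch {
        Write-Output "Unable to read Microsoft Defender status: $_"
        $script:exitCode = 1
        return
    }
    # Repeat the guard so a Defender state change between the two phases never
    # deletes the stub on a now-protected endpoint.
    if ($defenderEnabled) {
        Write-Output "Microsoft Defender is enabled. Device is compliant"
        return
    }
    $fileToCheck = Get-MpSigStubPath
    if (-not [System.IO.File]::Exists($fileToCheck)) {
        Write-Output "MpSigStub.exe not found. Nothing to remove"
        return
    }
    try {
        [System.IO.File]::Delete($fileToCheck)
    }
    catch {
        # Permission errors and file locks land here and surface in the activity log.
        Write-Output "Error removing the file: $_"
        $script:exitCode = 2
        return
    }
    # Verify rather than trust the Delete call.
    if ([System.IO.File]::Exists($fileToCheck)) {
        Write-Output "Failed to remove the MpSigStub.exe file"
        $script:exitCode = 2
        return
    }
    Write-Output "MpSigStub.exe file was successfully removed"
}

if ($Phase -eq 'Evaluate') { Invoke-Evaluation } else { Invoke-Remediation }
Exit $script:exitCode
```

Run it as `.\MpSigStub.ps1 -Phase Evaluate` from an elevated PowerShell and check `$LASTEXITCODE`; the remediation phase needs the SYSTEM or TrustedInstaller-level rights the prerequisites list describes, so a non-elevated run is expected to report "Error removing the file" and exit 2.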
Windows 10, Windows 11, or Windows Server endpoint with Microsoft Defender disabled (Get-MpComputerStatus must still load even when Defender's real-time protection is off)
Active third-party antivirus product, registered with Windows Security Center, that is replacing Defender as the primary AV
Automox agent running with SYSTEM-level rights (the default), required to delete a file owned by TrustedInstaller in System32
PowerShell 5.1 or later with the Defender module loaded; if Get-MpComputerStatus is not present the Worklet exits non-zero on the evaluation script
Optional ACL hardening (advised): if your build process recreates the stub in a writable working directory, follow up with a Worklet that runs icacls C:\Windows\Temp /inheritance:r /grant:r SYSTEM:F Administrators:F to remove the writable surface that makes binary planting practical
Critical: do not deploy this Worklet on endpoints where Microsoft Defender is the primary AV. The evaluation phase guards against this case, but scoping the policy to your third-party-AV endpoint groups removes any chance of running the deletion on a protected endpoint.
After successful remediation, %SystemRoot%\Sysnative\MpSigStub.exe no longer exists on the endpoint. The Automox activity log shows "MpSigStub.exe file was successfully removed" and an exit code of 0. Subsequent evaluation runs find no file and report the endpoint as compliant without invoking the remediation script again, so the policy is safe to keep on a recurring schedule.
Validation steps an operator can run after the policy completes:
Test-Path "$env:SystemRoot\System32\MpSigStub.exe" should return False on a remediated endpoint.
Get-AuthenticodeSignature "$env:SystemRoot\System32\MpSigStub.exe" should report the file as missing rather than as a valid signed Microsoft binary, confirming the planting target is gone.
Re-run your vulnerability scanner of choice (Tenable, Qualys, Rapid7) against the endpoint and confirm CVE-2023-38175 no longer appears in the finding list.
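The local validation steps above, wrapped as an added example (not from the Automox page) that returns a single evidence object an operator can export for the SI-2 / 6.3.3 audit trail. It handles one edge the bare commands do not: Get-AuthenticodeSignature throws on a missing path, so the signature is only queried when the file is present. The property names in the output object are this example's own; the scanner re-run is left to the scanner.

```powershell
# Added example, not part of the Automox Worklet. Returns one object summarising the
# post-remediation state of the local endpoint.
function Get-MpSigStubEvidence {
    $stub = Join-Path $env:SystemRoot 'System32\MpSigStub.exe'
    $present = Test-Path -LiteralPath $stub

    # Only ask for a signature when the file exists; on a remediated endpoint the
    # expected result is "file missing", not a valid Microsoft signature.
    $signature = 'file missing'
    if ($present) {
        $sig = Get-AuthenticodeSignature -FilePath $stub
        $signature = '{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
    }

    # Defender state is recorded alongside, because the stub is only expected to be
    # absent on endpoints where Defender is disabled.
    $defender = try { (Get-MpComputerStatus -ErrorAction Stop).AntivirusEnabled }
                catch { 'module unavailable' }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        CheckedAt       = (Get-Date).ToString('o')
        StubPath        = $stub
        StubPresent     = $present
        StubSignature   = $signature
        DefenderEnabled = $defender
        Remediated      = -not $present
    }
}

Get-MpSigStubEvidence | Format-List
```

Piping Get-MpSigStubEvidence to Export-Csv or ConvertTo-Json instead of Format-List gives a record that can be attached to the policy run; a Remediated value of False on an endpoint where DefenderEnabled is also False means the Worklet should be re-run and its activity log checked for the "Error removing the file" message.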
If your team later re-enables Microsoft Defender, the stub will return only when signature updates flow through Microsoft Update or WSUS; standalone Mpam-fe.exe installs and UNC-path signature drops will not recreate the binary. The fix maps to NIST 800-53 SI-2 (Flaw Remediation) and PCI-DSS 6.3.3 (Apply applicable security patches) for audit evidence, and it removes the writable-directory binary planting surface a local attacker would use to chain CVE-2023-38175 into elevated execution.
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.